Fortinet FortiWeb Integer Overflow Vulnerability Allows Denial-of-Service Attacks
A newly disclosed integer overflow vulnerability in Fortinet FortiWeb (CVE-2026-39811) allows authenticated remote attackers to cause a denial-of-service condition via crafted HTTP requests.
Fortinet has released a security update to address a denial-of-service vulnerability in its FortiWeb web application firewall. Tracked as CVE-2026-39811 and reported by Jason McFadyen of Trend Research, the flaw resides in the cgi_buf_alloc function and can be exploited by authenticated remote attackers to force the server into an infinite loop, effectively crashing the service.
The vulnerability, disclosed through the Zero Day Initiative as ZDI-26-265, carries a CVSS score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). While authentication is required, the attack complexity is low, and no user interaction is needed. This makes it a significant concern for organizations relying on FortiWeb to protect their web applications.
Fortinet has issued a security advisory (FG-IR-26-108) with patches to correct the issue. The company recommends that all customers apply the update as soon as possible to mitigate the risk of exploitation. No workarounds have been provided, underscoring the importance of patching.
The vulnerability was responsibly disclosed to Fortinet on December 9, 2025, and the coordinated public release occurred on April 15, 2026. There are no reports of active exploitation in the wild at this time, but the availability of technical details could lead to attempts.
FortiWeb is a widely deployed web application firewall used to protect against application-layer attacks. A denial-of-service condition could disrupt critical web services, making this vulnerability a priority for security teams. Organizations should review their FortiWeb deployments and apply the patch promptly to maintain service availability.